Fragmented Android development creating greater security risks

Some flaws exist on over a ‘hundred phone models and affect millions of users’

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned.

The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in customised drivers using a custom tool, dubbed Addicted, that they developed as part of the study into what they argue is an overlooked problem.

"Running ADDICTED on popular phone models, we discovered critical flaws that allow an unauthorized app to take pictures and screenshots, and even record the user’s input keys from touchscreen," the researchers (computer scientists from Indiana University, Bloomington and University of Illinois at Urbana-Champaign) warn. "Those vulnerabilities were found to exist on hundreds of other phone models."

An abstract of their paper, entitled The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations (pdf), explains:

Android phone manufacturers are under the perpetual pressure to move quickly on their new models, continuously customising Android to fit their hardware.

However, the security implications of this practice are less known, particularly when it comes to the changes made to Android’s Linux device drivers, such as those for camera, GPS, NFC etc.

In this paper, we report the first study aimed at a better understanding of the security risks in this customisation process. Our study is based on ADDICTED, a new tool we built for automatically detecting some types of flaws in customised driver protection.

Specifically, on a customised phone, ADDICTED performs dynamic analysis to correlate the operations on a security-sensitive device to its related Linux files, and then determines whether those files are under-protected on the Linux layer by comparing them with their counterparts on an official Android OS.

In this way, we can detect a set of likely security flaws on the phone. Using the tool, we analyzed three popular phones from Samsung, identified their likely flaws and built end-to-end attacks that allow an unprivileged app to take pictures and screenshots, and even log the keys the user enters through touchscreen.

Some of those flaws are found to exist on over a hundred phone models and affect millions of users.

We reported the flaws and helped the manufacturers fix those problems. We further studied the security settings of device files on 2423 factory images from major phone manufacturers, discovered over 1,000 vulnerable images, and also gained insights about how they are distributed across different Android versions, carriers and countries.

Vendors and carriers are aggressively customising official OS versions to accommodate new hardware pieces and services, potentially undermining Android security protection in the process, the security researchers conclude.

More than 1,000 phone models distributed across different Android versions, carriers and countries are vulnerable for one reason or the other, the researchers argue.

Independent mobile security experts, such as Jon Sawyer from Applied Cyber Security, agree that Android customisation has the side effect of creating a greater security risk.

"AOSP [Android Open Source Project] code has had the most eyes on it, from Google, the SOC partners, the OEMs, the community. It is quite reviewed," Sawyer told El Reg. "Customised code only really has had eyes from it's OEM on it. Some are more reviewed, and better than others. Some appear as if the OEM doesn't even have anyone look at it."

"So yes, many bugs come from OEM customisations," Sawyer concluded.

The US computer scientist conclude that their research only "scratches the surface of the grand security challenges" that come with Android customisations. Their conclusions point towards further work that ought to be undertaken.

"Even on the Linux layer, still there are many device files we cannot interpret, not to mention detection of their security flaws," the researchers conclude.

"More importantly, further effort is expected to understand how to protect security-critical resources on different Android layers, and develop effective means to ensure that customized resources are still well guarded," they added.

The research (first presented in Oakland last year) has been picked up by other researchers and taken forward. For example, a talk by Ohad Bobrov and Avi Bashan at the Black Hat conference in Vegas next month draws heavily on the research of Xiaoyong Zhou et al. The Black Hat talk, entitled CERTIFI-GATE Front-door access to pwning millions of Android is due to show how even devices running the latest version of Android OS (Lollipop) can be hijacked.

Demonstration of an exploit against a live device is promised. Both Bobrov and Bashan worked for Lacoon Mobile Security before moving to Check Point.

El Reg approached Xiaoyong Zhou, who took time out to bring us up to speed on his work.

"We have reported all vulnerabilities to Samsung and Google, the report includes 69 phone models that contain vulnerabilities allow unauthorised apps to take screenshots, key logger and use the camera without user consent," Zhou explained.

"Samsung awarded us with a Samsung Note phone to show its acknowledgement. Samsung also fixed its flagship phone models since the report. In its new flagship phones such as S6, Note 4, we did not find similar vulnerabilities," he added.

Further comparative work into the security of different Android customisations by a mix of researchers from IC-UNICAMP and Samsung can be found here.

"Our conclusions indicate that serious security issues such as expanded attack surface and poorer permission control grow sharply with the level of customisation," the team concluded in a short six-page paper submitted for the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks.

El Reg approached representatives of Samsung directly for comment on the research by Xiaoyong Zhou et al into Android customisation, which is more detailed than the short paper put forward by Samsung boffins, but we're yet to hear back from the smartphone manufacturer. ®